#18 implement properties.timeout for account().tokens.add(properties)

[vkai]

closes #18

[vkai]

@gr2m the hoodie-account-server-api doc lists under api.account().tokens.add() that the token would store the creation date "createdAt": "2016-01-01T00:00:00.000Z". However, when writing my integration test, I created a token that did not automatically include the "createdAt" property. I ended up adding the property manually for the purposes of the test.

Am I missing something about how the tokens should work?

[gr2m]

you are right, the token methods have been added in a hurry as it looks, there seem rather incomplete
https://github.com/hoodiehq/hoodie-account-server-api/blob/82bf25c47839818d4eb73467b8ba500074804f67/lib/utils/add-token-to-user-doc.js

We usually start with a README for a new project and then implement it backwards, so it’s possible that we sometimes miss things. I agree that we need the createdAt timestamps in order for timeout to be useful. I would add it to the add-token-to-user-doc.js itself, instead of adding it test

[gr2m]

you can leave out the Date.now(), new Date() should do the same thing.
You can also shorten the two lines to token.createdAt = new Date().toISOString() if you don’t use the now variable anywhere else

[gr2m]

I’m sorry I should have thought about this earlier, but can we add another timestamp expiresAt instead of adding a timeout property? It will be simpler to lookup later as we can directly look for that property without any calculation. Or do you see any downside with that approach?

[vkai]

No I agree that would be a more practical approach, as well as more conventional. I'll change it!

[gr2m]

you’re the best 🙌

[gr2m]

This looks all good 👍 thanks!

Only thing left is to update the README now, where it still says "TO BE DONE" for properties.timeout in the options table for api.account().tokens.add()

[vkai]

I've removed the "TO BE DONE" note for properties.timeout as well as properties.type as that was pushed as part of #36 that @Taekyoon and I worked on last.

[gr2m]

Hey I’m so sorry, I found another bug right now, you put in the check for sessions.add, but we also use the token authentication in other places. I think we should put in the check into find-user-doc-by-username-or-id-or-token.js as it’s used in all the places. Could you make that change, please?

[vkai]

@gr2m, no worries, that makes more sense. Long post ahead...

I think I've found a bug that came up in email-verification-test.js#L35 when I moved the expiration check to find-user-doc-by-username-or-id-or-token.js.

account().tokens.find() returns the token "as is" from the userdoc without an id property. When api.accounts.update() is called in email-verification-test.js, there is no id property on token. Follow the code down to find-user-doc-by-username-or-id-or-token.js#L34 and there's no tokenId for the db query.

The test still works because the query would still respond with the userdoc (not sure how that works). Is this by design? This creates a problem because I've moved the expiration check into that snippet:

  return db.query('byToken', {
    key: tokenId,
    include_docs: true
  }).then(function (response) {
    if (response.rows.length === 0) {
      throw PouchDBErrors.MISSING_DOC
    }

    var doc = response.rows[0].doc
    if (isTokenExpired(doc.tokens[tokenId])) {
      return Promise.reject(errors.TOKEN_EXPIRED)
    }

    return doc
  })

tokenId is undefined by this point, and thus I can't check if the token is expired. Does my check make sense there? If that makes sense, then I would change email-verification-test.js to use a preset token id. What do you think?

[gr2m]

can you push your current state please?

account().tokens.find() returns the token "as is" from the userdoc without an id property

That sounds like a bug, the id property should definitely be returned. We have to add logic around

hoodie-account-server-api/lib/utils/find-user-doc-by-username-or-id-or-token.js

Line 41 in 82bf25c

return response.rows[0].doc

where we set the id before returning the doc, I think?

[vkai]

I've pushed my current state with email-verification-test.js still failing.

If the id should be returned with the token, that would solve the problem. api.account().tokens.add() works because add-token-to-user-doc.js#L23 adds the id back to the token object before returning. If find() should also return the id, should we be deleting the id property from the token in the first place? add-token-to-user-doc.js#L16

[gr2m]

If find() should also return the id, should we be deleting the id property from the token in the first place? add-token-to-user-doc.js#L16

yes, because it would be the same value as the tokens key and there would be a risk for corrupt data where the tokens would be different from the id property of the token

[vkai]

I see. Ok then I will go ahead and add the id to the result of find() as well.

[gr2m]

great work 👍👏

[gr2m]

If you like, you could work on code coverage for hoodie-account-server-api, it’s currently at . Let me know if you are interested, I can put together an issue with some more information on how to do that :)

[vkai]

@gr2m sure that sounds great!

[gr2m]

@vkai awesome! I made this for you: #46